With Computer Security Day on Saturday 30th November, Ian Jenkins takes a look at one of the most common forms of malicious online behaviour which could affect any one of us, or our clients – the email scam.
Cybercrime was an industry worth a staggering $1.5 trillion in profits in 2018, which, to put into context, is more than the revenues of Facebook, Amazon, Apple, Netflix and Google combined.
And while there are many forms of malicious online activity, almost any individual or organisation, including high profile professional sports outfits with many legions of fans, could fall victim to an email scam.
What are the main forms of email scam?
SPAM
These tend not to be malicious but are repetitive and unsolicited. The most common form is commercial in nature. Personal email accounts will generally receive the ones offering to make you more attractive or wealthy, while business email accounts receive offers relevant to business needs.
SPAM emails originate either from the spammers themselves, selling products or attempting to commit fraud, or from computers infected with a virus or worm that send out bulk emails.
“In 2017 more than 80% of security breaches came from phishing and credential theft” (ictsecuritymagazine.com)
PHISHING
These emails are ‘fishing’ for your personal information: username, password, bank details. The best way to identify them is to look at the ‘from’ email address and verify that it is genuine. Sometimes this can be difficult, but often there are slight discrepancies in the address, for example a spelling mistake such as ‘email@example.com’.
BUSINESS EMAIL COMPROMISE (BEC) OR CEO FRAUD
This is an email purporting to be from the CEO, business owner or senior executive of the company, and it usually requests that an action take place, such as a request to the finance department for a money transfer.
Scammers will either set up an email address using information gleaned from social media or gain access to a real account through a phishing campaign. Either way, they can then send emails addressed to the target person or persons on first-name terms, using real names and pictures.
“In 2017, BEC accounted for 11% of cyber security insurance claims. That number grew last year to 23%” (swcomms.co.uk)
SPOOFING
This is a harder email scam for the average user to verify as legitimate or not. It involves forging the email header so that the message appears to have originated from a legitimate source, and it is a common hacker technique used to trick users into visiting malicious websites or downloading a malicious file through links in emails or texts.
So how do you stay safe?
In the fight against email attacks, the use of SPAM filters, firewalls and correct DNS settings is crucial. However, the most important way of protecting your business from such attacks remains training.
People will always be the weakest link when it comes to security. Human error accounts for two-thirds of data breaches so check out these tips and share them with your colleagues and friends:
- Try to avoid giving out your email address or any other personal details unless it’s absolutely necessary. It can sometimes be useful to have a ‘throwaway’ email address.
- Keep a healthy scepticism, but also reduce the risk by installing professional internet security software.
- If you believe an email is phishing for your information, verify it by sending an email to the genuine sender (make sure to open a new email message and use the email address that you know is genuine) and don’t click on any links.
- If you have to send personal information via email use a new message and type in the known and correct email address.
- Always ensure that your organisation has processes, which are actually followed, to protect sensitive activities such as paying money. These should require authentication and authorisation checks beyond a simple email request.
- Never send payment details, bank details or passwords in an email; use a service like onetimesecret.com instead, and be especially cautious of emails that trigger a warning banner or message.
- Not all links contained within emails are bad, but it’s good practice to check by typing the website address manually into the address bar of your browser, or by finding the website through your search engine.
- Adopting DMARC (Domain-based Message Authentication, Reporting and Conformance) is also a good way to make spoofing more difficult; this should be something that your IT provider or department can help with.
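As an added example, not part of the original article, the Python script below applies two of the checks above to a constructed message: it compares the real ‘from’ domain (not the display name) against a list of trusted domains to catch the slight spelling discrepancies described under phishing, and it reads the DMARC verdict that the receiving mail server recorded in the Authentication-Results header. The trusted domain list and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Domains this organisation trusts (assumed value for the example).
TRUSTED_DOMAINS = {"example.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(raw: str) -> str:
    """Domain of the real From address, ignoring the display name."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def dmarc_result(raw: str) -> str:
    """DMARC verdict recorded by the receiving server, or 'none' if absent."""
    msg = message_from_string(raw, policy=policy.default)
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else "none"

def check_message(raw: str) -> list[str]:
    """Return warnings that a mail gateway or a user could act on."""
    warnings = []
    domain = sender_domain(raw)
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(domain, trusted) <= 2:
                warnings.append(f"lookalike sender domain {domain!r} (resembles {trusted!r})")
    if dmarc_result(raw) != "pass":
        warnings.append(f"DMARC did not pass for {domain!r}")
    return warnings

# Constructed sample: a CEO-fraud style payment request from a lookalike domain
# ('examp1e.com' uses the digit 1 in place of the letter l).
SAMPLE = (
    'From: "Chief Executive" <ceo@examp1e.com>\n'
    "To: finance@example.com\n"
    "Subject: Urgent transfer\n"
    "Authentication-Results: mx.example.com; dmarc=fail header.from=examp1e.com\n"
    "\n"
    "Please pay the attached invoice today.\n"
)

if __name__ == "__main__":
    for warning in check_message(SAMPLE):
        print("WARNING:", warning)
```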
Businesses can subscribe to @actionfraud on Twitter or similar services to keep up to date with the latest scams affecting the business community and you can also help others by reporting fraud and cybercrime through Action Fraud.
Ian Jenkins is part of Sotic’s Platform and Security Team who help to protect our clients’ digital presence. For more information about how Sotic can help your organisation please contact us on firstname.lastname@example.org.